LICENSE: _may be_ licensed to use source code; incorrect license grant

Posted by MallocVoidstar 4 days ago

LICENSE: _may be_ licensed to use source code; incorrect license grant(github.com)

171 points | 155 commentspage 3

ilaksh 4 days ago|

This looks like either they are deliberately trying to trick people into thinking it's the MIT license, or have accidentally made the most confusing and nonsensical license ever.

MIT licensed binary in a source code repo does not make any sense.

This is a huge red flag.

Ekaros 4 days ago|

Sounds like potentially expensive legal case if they try to enforce it. Opens it up to many arguments in many jurisdictions.

paxys 4 days ago||

I dug around for ~10 minutes and it's probably not an exaggeration to say that Mattermost might have the most confusing licensing of any software product in existence.

From the license page on their repo (https://github.com/mattermost/mattermost/blob/master/LICENSE...):

> 1. You are licensed to use compiled versions of the Mattermost platform produced by Mattermost, Inc. under an MIT LICENSE

So just the compiled versions, not the source code. Ok, at least that is clear. But - the MIT license explictly allows for modification and redistribution. So can I do that?

The next line.

> See MIT-COMPILED-LICENSE.md included in compiled versions for details

Except this file doesn't exist anywhere in the repo or outside.

> You may be licensed to use source code to create compiled versions not produced by Mattermost, Inc. in one of two ways:

> 1. Under the Free Software Foundation’s GNU AGPL v3.0, subject to the exceptions outlined in this policy; or > 2. Under a commercial license available from Mattermost, Inc. by contacting commercial@mattermost.com

What does "may be licensed" mean? Do I have to contact them for a license? Or is an AGPL license implied?

> You are licensed to use the source code in Admin Tools and Configuration Files (server/templates/, server/i18n/, server/public/, webapp/ and all subdirectories thereof) under the Apache License v2.0.

Sure, let's throw another license in there, because there weren't enough already.

> We promise that we will not enforce the copyleft provisions in AGPL v3.0 against you if your application ... [set of conditions]

WTF does a "promise" mean here? Is this actually AGPL or not?

Then they have copy pasted the entire Apache License, even though the project isn't licensed under Apache. Why??

Oh but that's not all.

There's a separate license page at https://docs.mattermost.com/product-overview/faq-license.htm..., which says:

> Mattermost Team Edition (Open Source) - Open Source MIT License.

Uh, what? That goes against everything said in LICENSE.txt. So now we are back to fully open source?

ethin 4 days ago||

Wouldn't that license also violate the AGPL? I mean, it does say, in section 7:

> All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying

So, my interpretation is that I am free to license it under the AGPL; there is no "well, we might decide to do that", and I can strip all conditions they place upon me and comply only with the AGPL, and legally there is nothing they can do about it.

KolmogorovComp 4 days ago||

yes, but that's not what happen here. this part of the AGPL is there to avoid people adding more restrictions, but here mattermost is loosening up the restrictions.

> > We promise that we will not enforce the copyleft provisions in AGPL v3.0 against you if your application ... [set of conditions]

ethin 4 days ago||

I mean... I don't really see how they are. Technically they are but at the same time they aren't, because the set of conditions make the loosening of the AGPL a conditional thing. Which to me sounds like a violation of the AGPL because it's a further restriction: "We will (not) hold the AGPL against you... As long as you do these things..." I... Really don't think the AGPL was written to be... Abused? That way.

mappu 4 days ago||

You can see the spirit of what they're going for also with the MIT binaries - that's also like saying the whole project is AGPL, but a loosening for using it as-is.

Given their goals seem to be

- Permissive use without modification, even in combined works ("MIT binaries"); but

- Copyleft with modification, including for the Affero "network hole", or commercial terms

could you suggest a clearer license option? AGPL triggers copyleft across combined works, LGPL doesn't cover the network hole, GPL has both problems. Their goals seem really reasonable, honestly, there should be a simple answer. It seems messy but I like it more than the SSPL/BSL/other neo-licenses.

ethin 4 days ago||

I don't know anything more reasonable, but I would argue that this (isn't) reasonable precisely because it causes so much confusion due to the ambiguity and their refusal to clarify exactly what the terms really are.

codeflo 4 days ago||

"We promise that we will not enforce" is perhaps a funny way not to grant a license, but making it sound like they do. This seems almost purposefully designed to look open-source to laypeople, while being carefully written in a way that ensures it will be vetoed by any corporate lawyer vetting the license.

rlpb 3 days ago||

Is "we promise not to enforce" legally binding I wonder, in which case it is de-facto a license? IANAL but it's an interesting concept.

scotty79 4 days ago||

I think more software people should be doing that. Just confusing the hell out or lawyers (armchair and proper).

constantcrying 4 days ago||

You should read the license, it seems somewhat insane to be honest: https://github.com/mattermost/mattermost/blob/master/LICENSE...

londons_explore 4 days ago||

Looks pretty logical to me...

It is AGPL 3.0, except they give you slightly more rights with a promise not to enforce certain provisions in certain circumstances.

Hamuko 4 days ago|||

It's not AGPL 3.0. The binaries are MIT, the codebase (from where the MIT binaries are built from) is AGPL 3.0, except for the bits of the codebase that are Apache 2.0, and there's some kind of a promise about not enforcing a part of AGPL if you don't link to their platform directly and exclusively use the bits of the code that are Apache 2.0, and also don't make a modified version of the software. And also you can just license it commercially too.

wccrawford 4 days ago||

What do you think about it sounds insane?

SpicyLemonZest 4 days ago||

It says you "may be licensed" to use the source code under AGPL v3.0, but never actually makes an unambiguous statement that suchandsuch code is licensed under AGPL v3.0.

The concept of MIT licensing a compiled software artifact, but not the code used to generate the artifact, is also extremely strange.

mbauman 4 days ago||

Right, the correct way here is to simply grant _everyone_ a license to _everything_ under the terms of the AGPL (or whatever). You can then separately license portions under other terms.

You don't need to note the commercial licensing option in the license itself; it's irrelevant to that grant. You just state that elsewhere.

chobeat 4 days ago||

Go on Zulip or Anytype

dooglius 4 days ago||

The license seems perfectly clear in that it's multiply-licensed under AGPL, MIT, and corporate licensing based on different use cases. Maybe this guy has reading comprehension issues, but more likely he's just unhappy with the corporate part and wants to stir drama.

rcxdude 4 days ago||

It does create confusion because adding extra clauses onto whether you can use the AGPL kind of defeats the point of the AGPL, and creates a contradiction because the different flavors of the GPL generally all have language that tries explicitly to prevent such a thing, which is a pretty classic piece of confusion (I've had it when negotiating employment contracts and it's shocking how many people seemingly just never read the documents they're offering).

(EDIT: though, having read the whole document, it seems like there is just a trademark carve-out, which is explicitly allowed under the AGPL, so this seems reasonably straightforward, except for the strange 'we promise not to enforce copyleft if you don't modify the code' which seems entirely redundant. Oh, and the 'licensed to use source code to create compiled version' which seems like a very strange phrasing)

epistasis 4 days ago|||

Hopefully I'm not violating copyright by taking this small chunk of their LICENSE.txt, but this appears to be the language that some want clarified:

https://github.com/mattermost/mattermost/blob/master/LICENSE...

----

    You are licensed to use compiled versions of the Mattermost platform produced by Mattermost, Inc. under an MIT LICENSE
    
    - See MIT-COMPILED-LICENSE.md included in compiled versions for details
    
    You may be licensed to use source code to create compiled versions not produced by Mattermost, Inc. in one of two ways:
    
    1. Under the Free Software Foundation’s GNU AGPL v3.0, subject to the exceptions outlined in this policy; or
    2. Under a commercial license available from Mattermost, Inc. by contacting commercial@mattermost.com

moeffju 4 days ago||

"Subject to the exceptions" conflicts with the "no exceptions" wording in the GPL licenses, so I don't even see how any of this constitutes a valid license

gowld 4 days ago|||

AGPL does not say "no exceptions". AGPL explicity allows exceptions:

https://github.com/mattermost/mattermost/blob/master/LICENSE...

https://www.gnu.org/licenses/agpl-3.0.en.html

gpm 4 days ago|||

I read the exceptions as a grant of additional rights to mattermost's copyright (but not to third parties), I don't think that conflicts.

I'm not sure that they actually granted a GPL license at all though. I could see this document being read as an advertisement that one might be for sale instead of a grant...

(Not a lawyer)

throwaway150 4 days ago|||

Licensing should never be left to "reading comprehension". If there is any doubt about the terms, a clarification should be requested. A clarification was requested here. The requested clarification was declined. If this matter was really so simple that simple "reading comprehension" would solve it, the project maintainers could have said so. But they didn't. And that they didn't holds more weightage than what some random stranger has to say about "reading comprehension".

MD87 4 days ago|||

... also some parts are Apache, and the wording around the AGPL bit is very weird:

> ... licensed to use source code to create compiled versions ...

Why's it calling out compiling specifically? Are they trying to imply you can't modify/distribute/etc the source? Presumably that would be a "further restriction" per the AGPL and hence ignorable, but it's sloppy at best and misleading at worse, which isn't great for a license document...

MallocVoidstar 4 days ago|||

They could simply say that, then, instead of saying you might be able to use it under the AGPL.

nimih 4 days ago||

They didn't say you "might" be able to use it under the AGPL, but that you "may" be licensed to use it. Which, as a native speaker of American English, seems to be relatively clear in its meaning along the lines of what the GP poster stated. Of course, the various meanings of "may" in English might be subtle enough that I'd readily believe it's less clear to non-native speakers (or maybe even speakers of a different dialect), and it's unfortunate that Mattermost's lawyers aren't interesting in cleaning up the language.

almosthere 4 days ago||

if there is no license, then it is public domain if they put code on a website

eikenberry 4 days ago||

This is not true in the US where everything is automatically copyrighted and protected, so nothing goes directly into the public domain (even if the author wants it). Thus no license means that you have no license to use the code legally.

throwaway150 4 days ago|||

Correct. That's not true in Europe either. IIRC it's not true in Asia either. I don't understand why so many people who don't have even the most basic understanding or experience of licensing feel they must post their opinion as if they were facts. People are certainly entitled to their opinion. But so many comments here are speaking absolute nonsense about licensing as if they were facts. I genuinely don't understand why people feel compelled to do so.

redwall_hp 4 days ago|||

Or any country the US has a reciprocal copyright treaty with, which is all but a vanishingly small set of countries.

A work is protected by copyright the moment it's authored, and all rights are reserved unless it's explicitly licensed otherwise.

fwip 4 days ago||

Not applicable and also incorrect.

michaelt 4 days ago|

To me, this seems kinda reasonable.

The reality is licenses are all nonsense and none of it makes any sense. There could be secret patents nobody knows about. That precise wording written by American lawyers might not hold up in Chinese courts. There might be two compatible licenses, but one is 20x the length of the other; obviously some legal expert thought those extra words were needed - but are they? What's going on with linking and derivative works? Do you need to copy-and-paste the full legal blurb into every single file, or not? Why are some sections written in all caps, and does the reason for doing that apply globally? What if someone claimed to have the right to contribute code to an open project but actually had an employment contract meaning the code wasn't theirs to transfer? What's the copyright status of three-line stackoverflow answers?

The truth is nobody knows, and nobody cares. You and I won't get sued, probably, and if we do it's not like we'd have avoided it by reading the license. Might as well ignore it, like people ignore website terms of use and software click-through licenses and other legal mumbo-jumbo.

On the other hand, if you're the kind of gigantic enterprise that has policies on software licenses and a team of in-house lawyers and you can't use this software without greater license clarity? Well, you can get that licensing clarity with the enterprise version of the software.

throwaway150 4 days ago||

I have used many open source tools and I have convinced my company to buy the commercial license of the said tools to get the enterprise version and support. Win-win for both parties. I use and improve my skills on the open source version of the tools I love. Our company uses great tools. The project maintainers get paid.

But I don't think I'll ever buy an enterprise version of the software which can't get the simple matter of open source licensing right. It isn't that hard. Thousands of developers are doing it.

If the tool was totally enterprise version only, I'd probably have less qualms about it. But to advertise a tool as open source license but then violate the open source licensing method both in spirit and the letter of the law is just too unprofessional for me that I'd steer clear of them in future and discourage anyone I know from spending their money on them.

SpicyLemonZest 4 days ago|||

Restrictions like this, where your code is only available for use for certain purposes by certain kinds of users, are explicitly rejected by both the open source and free software movements. If a developer wants to license their code this way, they should admit that what they're building is not an open source platform. Then they can simply use one of the licenses like CC NC or SSPL that are designed for that purpose, instead of trying to stitch together an unfree license out of a bunch of free ones.

bogwog 4 days ago|||

The AGPL accomplishes the same thing, except there is no ambiguity and you never have to wonder "could I be sued for using this software?"

ethin 4 days ago|||

It isn't really reasonable though. The word "may" implies possibility, not absolutism. So reading the sentence logically, at least to me, saying that I "may be" able to license it under the AGPL means that I might or might not be able to do that... And I have no way of knowing if I can or can't unless I... What, contact them?

leoedin 4 days ago||

I think in this case it implies choice for the user. There’s an implied “if you want to”. You may use this software if you want to in one of two ways:

That’s pretty clear to me (a native speaker from the UK) - i can’t really see how else it could be interpreted. As another poster said, it’s the same “may” as “you may go to the washroom” or “you may enter now” - which implies consent from the speaker.

stonogo 4 days ago||

Except it's passive voice here; the conditions modify the grantor, not the reader. You may be licensed if we feel like it to use source code to create compiled versions etc.

No "you may enter now" but "you may be allowed to enter."

thisislife2 4 days ago||

> But nobody will get sued, and that's the only thing that matters.

Do you really want to bet your business on that? Vizio thought the same when using GPL code, and now they are in court. Software Freedom Conservancy sues Vizio for GPL violations - https://www.zdnet.com/article/software-freedom-conservancy-s...

wmf 4 days ago|||

Vizio (and every other embedded vendor) knows they're breaking the GPL and they just don't care. It's not an analogous situation.

razingeden 4 days ago|||

I don’t think they’re worried about “my business.”

Open source is notorious for being implemented in $$$ COTS and commerce and then contributing $0 in money and then even less in contribs bug fixes or sharing in house tweaks,isn’t this what Wordpress has been melting down over for a year or two now?

And I’m sure many more projects are pissed off or resenting their chains but not making an ugly scene about it.

Something has to give here.

I don’t have a dog in this fight other than to say that what mattermost went with here “is a choice” , and I have “a choice” whether to accept these terms.

I’m interested in watching how it plays out though. They cast their die. Problems have solutions. We could all get into whether this solution is viable or not — doesn’t matter this is what they went with and they made it clear they’re not taking user input on it. I’m not even a user so I expect them to care even less about my thoughts.

Im supportive of anyone trying to find an equitable balance but maybe that’s a situation where they could roll their own license with these clauses and exclusions.

Its not like Microsoft or iTunes user agreements aren’t complete bullshit, yet people click okay and use all that.